On July 13, 2025, a developer at the Department of Government Efficiency—DOGE—accidentally pushed a private xAI API key to GitHub. That key unlocked access to 52 unreleased LLMs, including Grok‑4‑0709, and remained active long after discovery.
In this episode of Cyberside Chats, we examine how a single leaked credential became a national-level risk—and how it mirrors broader API key exposures at BeyondTrust and across GitHub. LMG Security’s Director of Penetration Testing, Tom Pohl, shares red team insights on how embedded secrets give attackers a foothold—and...
On July 13, 2025, a developer at the Department of Government Efficiency—DOGE—accidentally pushed a private xAI API key to GitHub. That key unlocked access to 52 unreleased LLMs, including Grok‑4‑0709, and remained active long after discovery.
In this episode of Cyberside Chats, we examine how a single leaked credential became a national-level risk—and how it mirrors broader API key exposures at BeyondTrust and across GitHub. LMG Security’s Director of Penetration Testing, Tom Pohl, shares red team insights on how embedded secrets give attackers a foothold—and what CISOs must do now to reduce their exposure.
Key Takeaways:
- Treat leaked API keys like a full-blown incident—whether it’s your code or a vendor’s.
Monitor for exposure and misuse. Include secrets in IR playbooks—even when it’s third-party code.
- Ask your vendors the hard questions about secrets management.
Do they rotate keys? Use a secrets manager? How quickly can they revoke?
- Scan your environment for exposed secrets, even if you don’t develop software.
Look for credentials in cloud configs, automation, scripts, SaaS tools.
- Make sure your penetration testing team searches for secrets as part of their processes.
Secrets can show up in unexpected places—firmware, config files, build artifacts. Your red team or vendor should actively hunt for exposed keys, hardcoded credentials, and reused certs across applications, infrastructure, and third-party tools.
- Train your IT staff and developers to remove secrets from code and automate detection.
Use GitGuardian, TruffleHog, and a secrets manager like AWS Secrets Manager or HashiCorp Vault.
References:
- Exposed Secrets, Broken Trust: What the DOGE API Key Leak Teaches Us About Software Security – LMG Security: https://www.LMGsecurity.com/exposed-secrets-broken-trust-what-the-doge-api-key-leak-teaches-us-about-software-security/
- "Private Keys in Public Places” - DEFCON talk by Tom Pohl, LMG Security: https://www.youtube.com/watch?v=7t_ntuSXniw
- DOGE employee leaks private xAI API key from sensitive database – TechRadar: https://www.techradar.com/pro/security/doge-employee-with-sensitive-database-access-leaks-private-xai-api-key
#DOGEleak #cybersecurity #cybersecurityawareness #ciso #infosec #itsecurity
View more
